Which of the following statements correctly characterizes SQL injection?


Multiple Choice

Which of the following statements correctly characterizes SQL injection?

Explanation:
SQL injection is a code injection technique that occurs when user-supplied input is embedded into an SQL statement in a way that allows the input to alter the query’s structure. When an application constructs SQL queries by concatenating input without proper validation or parameterization, an attacker can inject SQL syntax that changes the logic of the query, enabling actions like bypassing authentication, accessing unauthorized data, or modifying the database. This is why the statement describing it as placing malicious code into SQL statements via user input is the best fit. It’s not about password cracking, not about improving SQL performance, and it isn’t a network protocol for SQL servers. To prevent it, use parameterized queries or prepared statements, validate and sanitize inputs, apply least-privilege database accounts, and handle errors securely.

